Zombieload 2: Patches for CentOS, RHEL & OEL are ready
KernelCare Team has released Centos7, Centos7-Plus, RHEL7, OEL 7 patches for CVE-2018-12207 to the production feed.
KernelCare users will receive the patches automatically. If you have installed the patches from the test feed – production updates will be applied automatically.
We are working on the patches for the rest of the distributions at the moment.
Subscribe to our blog to get the update about the patches in production.
About the CVE-2018–12207: Processor Machine Check Error (MCEPSC or iTLB multihit)
The Processor Machine Check Error vulnerability affects virtualized environments.
Exploitation of this vulnerability can result in the host system hanging when Extended Page Tables (EPT) are enabled.
Other CVEs from Zombieload2 Set of Vulnerabilities:
1. CVE-2019–11135: TSX Asynchronous Abort (TAA)
This affects Intel chips with the Transactional Synchronization Extensions (TSX) feature.
It is similar to earlier MDS vulnerabilities, so if you’ve applied remediations for MDS, you will also be safe from this vulnerability.
However, if you’ve a newer Intel CPU with TSX enabled that’s not affected by MDS, you’ll need to update your CPU’s microcode and patch the kernel.
TSA (CVE-2019–11135) is taken care of by MDS mitigation on all kernels supported by KernelCare. KernelCare enforces MDS on all CPUs which are not in white-list. Currently there are no TSA-affected CPUs in this white-list, so no additional patches from KernelCare are required to mitigate TSA. We are recommending to those with TSA-affected CPUs to update to latest CPU microcode from their vendor.
2. CVE-2019–0155, CVE-2019–0154: i915 graphics hardware
CVE-2019–0155 can give an unprivileged user elevated system privileges.
CVE-2019–0154 can let an unprivileged user hang the system (effectively creating a DoS situation) by reading from specific memory locations (MMIO registers) when the graphic card’s power management goes to a particular minimal power usage state.
What we’re doing
As with all major vulnerabilities, as soon as the KernelCare monitoring team hear about it, developers and analysts begin the detailed process of investigating, assessing, developing and coding patches for our KernelCare Linux kernel live patching software.
We have started delivering first patches and will report here we progress and will provide migration instructions and patch locations when ready. Subscribe to our blog to get instant update.